 |
Ensuring the safety of your customers' cardholder information can help your business strive to create and maintain a positive image, enhance customer confidence and even assist in improving your bottom line.
As part of Moneris' ongoing provision of credit and debit card processing services, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs
It is important to note that all Merchants and Service Providers that store, process, or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. However, certification requirements vary by business and are contingent upon your "Merchant Level" or "Service Provider Level". Failure to comply with PCI DSS and the Card Association Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.
To help our clients protect their customers' cardholder data and maintain PCI-DSS compliance, Moneris has established the Moneris PCI Program with our partner, Trustwave, a leading provider of PCI DSS compliance services for merchants. In joining forces with Trustwave, the Moneris PCI Program provides you with all the tools you need to successfully complete the steps necessary to help your business validate compliance to PCI DSS and protect your business for the long-term through data security best practices.TO BEGIN YOUR COMPLIANCE VALIDATION TODAY,please visit https://pci.trustwave.com/moneris If you need assistance or require more information, please call Moneris Customer Service at 800-471-9511.
The PCI DSS is enforced by the Card Associations (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International). Moneris has taken the steps to provide our valued clients with necessary information and associated links to assist in assessing the actions your business should take to ensure that you are compliant.
About PCI DSS
PCI DSS is a global data security standard that was established by VISA International and MasterCard Worldwide in December 2004. PCI DSS was the result of the alignment of the data security standards included in the VISA International and MasterCard Worldwide data security programs. PCI DSS proceeded to be endorsed by American Express, Discover Financial Services, and JCB. In September 2006 the five major credit card payment networks announced the formation of an independent body, PCI Security Standards Council, to develop and maintain the evolution of PCI DSS.
PCI DSS was created to ensure the protection of cardholder data. Due to some high profile security breaches it became apparent that a global set of data security standards was required to assist merchants and service providers in meeting the requirements. Based on twelve principle requirements, PCI DSS requires merchants to make their physical and virtual environments secure to ensure protection of cardholder data. All merchants that accept credit cards as a form of payment, and all service providers involved in the processing of credit card transactions are required to be compliant with PCI DSS.
Twelve Principle Requirements of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
Below are the twelve principle requirements of PCI DSS:
Card Association Compliance Programs
The Card Associations have each developed their own compliance program to ensure merchants and service providers are compliant with PCI DSS. Each program has specific validation requirements which must be followed for the Card Associations to recognize certification to PCI DSS. Some key differences in the programs include; validation levels, validation requirements, approved third party assessors.
Below is a list of the Card Association compliance programs:
Importance of PCI DSS Compliance and/or Certification
Moneris strongly endorses the need for more stringent standards regarding the handling of cardholder data. In addition, we are taking proactive measures to ensure that all merchants adopt these standards and maintain compliance on an on-going basis.
Compliance with the PCI DSS is mandatory. If you and your service providers are not compliant with PCI DSS, the Card Associations could levy fees and fines against you and your credit card processing services could be terminated. Your obligation to comply with the Card Associations' rules and regulations (including those related to security standards) is detailed in your agreement with Moneris.
Compliance means all requirements of the PCI DSS have been met. To become certified, an entity must engage the services of QSA to validate an entity’s compliance to PCI DSS. The QSA will work on identifying areas of non-compliance. The merchant must remedy each area of non-compliance. Once all areas of non-compliance have been addressed the QSA will re-evaluate and issue confirmation of compliance. Certification to PCI DSS is at the merchant's expense.
Merchant Levels and Validation Requirements
It is important to note that all merchants that store, process, or transmit cardholder data must comply with the PCI DSS regardless of the volume of transactions processed or the method in which they are processed. However, certification requirements vary by business and are contingent upon your "Merchant Level".
| Merchant Level Description & Validation Requirements | ||||
| Level | Level Description | Validation Requirements |
Validated By | Validation Due Date |
| 1 |
VISA & MasterCard
|
Annual On-site PCI Data Security Assessment
|
Qualified Security Assessor (QSA) or Internal Audit if signed by Officer of the company |
VISA September 30, 2004 MasterCard June 30, 2005
|
| Quarterly Network Scan | Approved Scanning Vendor (ASV) | |||
| 2 |
VISA & MasterCard |
Annual PCI Self Assessment Questionnaire
|
Merchant |
VISA September 30, 2007
MasterCard December 31, 2008 |
| Quarterly Network Scan | Approved Scanning Vendor (ASV) | |||
| 3 | VISA & MasterCard |
Annual PCI Self Assessment Questionnaire | Merchant |
VISA & MasterCard June 30, 2005
|
| Quarterly Network Scan | Approved Scanning Vendor (ASV) | |||
| 4 |
VISA & MasterCard
|
Annual PCI Self Assessment Questionnaire
|
Merchant | Acquirer's discretion |
| Quarterly Network Scan | Approved Scanning Vendor (ASV) | |||
Third Party Service Providers
All third party service providers that store, process, or transmit cardholder information on behalf of a merchant are required to comply with PCI DSS. In addition all service providers are required to validate their compliance to PCI DSS through the services of a QSA.
PCI Security Standards Council
The five major credit card networks (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) announced the formation of an independent body to manage the ongoing evolution of the PCI DSS.
The PCI Security Standard Council will:
Helpful/Related Links
For more information on PCI DSS and the card association compliance programs please review the following websites: